pfSense contains a great feature
called "Captive Portal". It allows you to set up an open Wifi hotspot and
restrict access to only certain people, similar to the hotspots you find
everywhere these days (e.g. on trains, in stations, hotels and restaurants).
A cheap though very nice piece of hardware I can greatly recommend to use with the pfSense Captive Portal functionality is the TPLink TL-WA801ND. I'm using a version 1.2 device of this type and am not sure if the latest version 2.0, which looks completely different, offers the same functionality. Check with TPLink if you're interested in buying one and can't find a 1.2 anymore. What makes this device perfect for the captive portal is that it only costs about 30 euros and it allows 1, 2, 3 or even 4 wireless identifiers (SSIDs) to be broadcast simultaneously from a single device. What makes it even better is that it can also tag the data received over each of these 4 wireless identifiers with a unique VLAN tag per wireless identifier! This means that with one of these devices you can, for example, set up a secure access point using WPA2 and a strong encryption key, a less secure WPA/WPA2 access point with an easy-to-hand-out key, and an open access point without encryption where the captive portal controls access to your network and the internet. pfSense is perfectly capable of dealing with these VLAN tags, separating the network traffic again and applying different firewall rules per VLAN. So the highly secure VLAN might have full access, while the open wifi traffic might only get TCP 80 (HTTP) and TCP 443 (HTTPS) access. Awesome stuff!
To enable the captive portal, simply build a (virtual) machine which is going
to host the pfSense installation and configure the basics first (network card
assignment, IP addresses, routing, firewall rules, etc). Once you're done with
that, I would advise creating a backup of your pfSense configuration through
Diagnostics -> Backup/restore in the menu at the top. Just in case something
goes wrong, you can always revert to your configured basics.
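Added example (not from the original post): once you have that configuration backup, you can audit it offline for the per-VLAN policy described above, i.e. that the interface carrying the open, captive-portal SSID only passes TCP 80 and 443. The XML below is a constructed sample modelled on the layout of a pfSense config.xml backup; treat the element names and the interface name "opt2" as assumptions and adjust them to what your own backup contains.

```python
"""Audit a pfSense config.xml backup: find interfaces with an enabled captive
portal zone and flag pass rules on them that allow more than TCP 80/443."""
import xml.etree.ElementTree as ET

# Constructed sample in the style of a pfSense config.xml backup (layout assumed,
# not copied from a real device). "opt2" is the VLAN interface for the open SSID.
SAMPLE_CONFIG = """<pfsense>
  <captiveportal>
    <guests><zone>guests</zone><enable/><interface>opt2</interface></guests>
  </captiveportal>
  <filter>
    <rule><type>pass</type><interface>opt1</interface><protocol>any</protocol>
      <source><any/></source><destination><any/></destination></rule>
    <rule><type>pass</type><interface>opt2</interface><protocol>tcp</protocol>
      <source><any/></source><destination><any/><port>80</port></destination></rule>
    <rule><type>pass</type><interface>opt2</interface><protocol>tcp</protocol>
      <source><any/></source><destination><any/><port>443</port></destination></rule>
    <rule><type>pass</type><interface>opt2</interface><protocol>any</protocol>
      <source><any/></source><destination><any/></destination></rule>
  </filter>
</pfsense>"""

ALLOWED = {("tcp", "80"), ("tcp", "443")}   # what the open SSID should get

def portal_interfaces(root):
    """Interfaces that carry an enabled captive portal zone."""
    cp = root.find("captiveportal")
    if cp is None:
        return set()
    return {z.findtext("interface") for z in cp if z.find("enable") is not None}

def overly_permissive_rules(config_xml):
    """Return (interface, protocol, port) for every pass rule on a captive
    portal interface that allows anything beyond TCP 80/443."""
    root = ET.fromstring(config_xml)
    portals = portal_interfaces(root)
    findings = []
    for rule in root.iterfind("filter/rule"):
        iface = rule.findtext("interface")
        if rule.findtext("type") != "pass" or iface not in portals:
            continue
        proto = (rule.findtext("protocol") or "any").lower()
        port = rule.findtext("destination/port") or "any"   # single port or "any"
        if (proto, port) not in ALLOWED:
            findings.append((iface, proto, port))
    return findings

if __name__ == "__main__":
    for finding in overly_permissive_rules(SAMPLE_CONFIG):
        print("captive portal interface %s passes %s/%s" % finding)
```

The secure VLAN (opt1 here) is deliberately not checked, since the post gives it full access; only the third opt2 rule, an "any/any" pass, is reported.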
Turning your pfSense server into a captive portal is as easy as going to
Services -> Captive Portal in the top menu, creating a new zone with the +
icon, entering any name you would like to assign to it and saving it. You
can now edit the zone by clicking on the E icon. In the settings you can turn on
the captive portal by checking the box for Enable captive portal and
selecting the network interface on which you want to turn on the captive portal.
This may also very well be a network interface you created with a specific VLAN
tag, so you could add this captive portal functionality to your already existing
pfSense server without having to add an extra physical network card. The
rest of the configurable options on that page speak for themselves. There's one
option on that page that I want to highlight here because I had to dive into the
source code of pfSense to figure out how it works exactly. I couldn't find any
documentation on it. Could be that I didn't look carefully enough and took the
source-code turn too quickly, but hey.. I'm a developer so attracted to code by
Anyway, the option I mean is called "Allow only users/groups with
'Captive portal login' privilege set" which can be found in the
authentication section on that page.
What this option functionally does is allow you to use the local user
database of pfSense to specify which user accounts are allowed to log on through
your captive portal. An excellent option to get started without right away making
it more complicated with authentication against external sources. When this option is
checked, you can designate users in the local pfSense user database that are
allowed to log on through the portal. For example, you typically do not want the
admin account you use to administer your pfSense server to be usable as
a captive portal login account as well. So how to use this option? By following
the next steps: